We’ve been seeing a lot of recent website infections that use highly obfuscated javascript code that decodes to a domain: yourblenderparts.ru:8080.

Many other domains are used as well such as:

superbblender.ru

thesuperpager.ru

superroadmap.ru

supersupermall.ru

theblendertv.ru

theblendertutorial.ru

excellentblender.ru

thechocolateweb.ru

whosaleonline.ru

worldmusicmagazine.ru

thelaceweb.ru

webdesktopnet.ru

sugaryhome.ru

homesaleplus.ru

worldmusicmagazine.ru

greatwebradio.ru

avattop.ru

recentmexico.ru

cobalttrueblue.ru

webnetenglish.ru

newusaguide.ru

livesitedesign.ru

sitemape.ru

samuest.ru

pokesack.ru

royalbling.ru

retireterrify.ru

thesuperexchange.ru

snoreflash.ru

royalbling.ru

forredtag.ru

newvillagefresh.ru

hotnewgirl.ru

yoursuperpool.ru

buytheblender.ru

The infectious code we found was at the bottom of index.php files obviously with the <script></script> tags and generally the same code was found at the bottom of various .js (javascript) files without the script tags.

In the obfuscated code there’s usually a number of strings that look like:

if (a!=” && a=’b’){a=null}

There are of course variances to this. The variable ‘a’ can be any letter or even an underscore “_” and may consist of two letters either upper or lowercase. The variable ‘b’ can be any letter or underscore and can actually be one or two characters and may or may not be uppercase. Other than that, they’re exactly the same.

This format will be found in the malscript in a number of places but obviously with different variables.

The string of characters that all this code works on can be in hex format, for instance:

var I=”\x68\x74\x74\x70\x3a\x2f\x2f…” (which is actually “http://”)

or it might be something like:

var M=”hOtFtOp:O/O/…” (which, when you remove the uppercase characters is actually “http://”)

In the obfuscated malscript there is also a number of variable declarations. You’ll find things like:

var vM=new Array()

var j=new String() (sometimes with a value inside the parenthesis)

var Z=window

var K=new Date()

var G=new Regexp(…)

var QF=document

When I see a variable declaration like: var Z=window or var QF=document, I know that somewhere in the malscript I’ll see something like: z.location or QF.write. This is a common obfuscation technique of the hackers.

In all the cases we’ve worked on with this type of infection, it’s been the result of a virus that has stolen the FTP passwords from a PC with FTP access to the website.

We’ve written about this before, but here are the steps to follow to prevent this from happening again.

Install a new anti-virus program. The reason is that it’s obvious that the current anti-virus software didn’t detect anything. Often times these viruses “learn” how to evade detection from the currently installed anti-virus software. Therefore, something new and different is needed to find and remove it. Many have had good results with one of the following: Kaspersky, Avast or Vipre (Sunbelt Software).

Change all FTP passwords. I recommend creating a new FTP account for everyone or for every PC that will be accessing the website. Then be sure that FTP logging is activated. This is important. If your website gets infected again, you can look in the logs to see who has the virus. If there’s a user named john and his username shows up in the logs from somewhere across the world, you can safely assume that it’s his username that’s been compromised.

That’s it. 2 steps. It’s easier to prevent your site from being infected than it is to recover from an addiction.

If you have more domains to add to this or would like to comment, please do so. You can leave a comment below or you can email direct at traef@wewatchyourwebsite.com